In re Facebook Internet Tracking Litigation

Citations: 140 F. Supp. 3d 922; 2015 U.S. Dist. LEXIS 145142; 2015 WL 6438744Docket: Case No. 5:12-md-02314-EJD

Court: District Court, N.D. California; October 23, 2015; Federal District Court

SummaryOriginalCytator Case TreatmentBackward CitatorAnalysis

EnglishEspañolSimplified EnglishEspañol Fácil

The court granted Facebook, Inc.'s motion to dismiss a consolidated multi-district lawsuit filed by individuals with active Facebook accounts from May 27, 2010, to September 26, 2011, who sought over $15 billion in damages and injunctive relief. The lawsuit alleged that Facebook knowingly intercepted users' internet communications and activities after they logged out, utilizing cookies to track and store post-logout usage. Plaintiffs Perrin Davis, Cynthia Quinn, Brian Lentz, and Matthew Vickery claimed that these cookies, small text files embedded in their browsers, allowed Facebook to monitor their online activities. Federal jurisdiction for the case was established under 28 U.S.C. sections 1331 and 1332(d). Facebook's motion to dismiss was based on Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6), and after evaluating the arguments from both parties, the court found Facebook's arguments convincing, resulting in the dismissal of the case. The document also explains the function of cookies, which are files created by servers that store limited information related either to the browser or the user and allow servers to recognize returning users.

Plaintiffs allege that Facebook, founded by Mark Zuckerberg in 2004, has grown to become the largest social networking platform globally, boasting over 800 million users, including 150 million in the U.S. The success of Facebook is attributed to its strategy of encouraging users to create detailed personal profiles, which are then utilized to connect advertisers with users. Historically, 90% of Facebook's revenue derives from third-party advertising, driving the company to innovate ways to utilize user data for growth, despite not charging membership fees.

However, Plaintiffs argue that Facebook's membership is not truly free, as it requires users to provide sensitive personal information and accept multiple cookies. Facebook uses two types of cookies: session cookies, which are linked to a user's account and deleted upon logout, and tracking cookies (persistent cookies), which track internet activity and do not expire upon logout. These tracking cookies gather data whenever a user interacts with Facebook-related content across the internet, even if they do not have an account. 

For instance, if a logged-in user visits a news site with embedded Facebook content, both the session and tracking cookies send data back to Facebook, linking the user's online activity to their Facebook profile. This process allows Facebook to compile extensive user data, enhancing its advertising capabilities. The technical interactions involve specific cookies (such as "datr" and "c_user") that facilitate this data exchange, ultimately allowing Facebook to maintain a comprehensive database of user activities.

Facebook allegedly tracks users’ browsing activities even after they log out, contrary to its stated policies. This tracking is enabled by a persistent datr cookie, which is set when a user visits Facebook. For example, when a logged-out user visits CNN, the request for the “like” button triggers communication with Facebook's server, which logs the request and any associated identifiable information from the browser's cookies. Plaintiffs assert this tracking is specific enough to identify users without additional identification cookies. The datr cookie contains a unique identifier that links users’ browsing on partner sites back to their Facebook accounts. 

Moreover, the plaintiffs claim that Facebook created a P3P “compact policy” to bypass privacy settings in Microsoft’s Internet Explorer, facilitating the transmission of cookie information back to Facebook from non-Facebook websites. They argue that the personal information obtained, including browsing history, has significant economic value, evidenced by comparisons to Google's Screenwise Trends program, where users share internet usage data for rewards. Plaintiffs allege that the market value of their data can be quantified, estimating the worth of user contact information, demographic data, and browsing histories collectively amounting to billions when aggregated across Facebook’s user base.

Several lawsuits contesting Facebook's tracking practices were consolidated in court, leading to the filing of the currently operative pleading, the consolidated class action complaint (CCAC). The court has appointed interim class counsel for pretrial considerations.

A Rule 12(b)(1) motion challenges subject matter jurisdiction, which can be either facial or factual. A facial challenge relies solely on the complaint's allegations, assuming them to be true, to determine if federal jurisdiction is absent. Standing can be contested through this rule, placing the burden on the plaintiff to prove it. 

Rule 12(b)(6) requires a plaintiff to plead claims with sufficient specificity to notify the defendant of the claims and their basis, striving for a standard beyond mere speculation. A complaint may be dismissed if it lacks a valid legal theory or supporting facts. Courts typically do not consider materials beyond the pleadings but may include documents referenced in the complaint or those subject to judicial notice. Well-pleaded factual allegations are accepted as true, while legal conclusions and contradictory allegations are not.

In the discussion, the plaintiffs assert multiple claims, including violations of federal and state laws related to privacy and computer fraud. Facebook contends that all claims lack standing under Rule 12(b)(1) and that the fraud-based claims fail to meet the specificity requirements of Rule 9(b) under Rule 12(b)(6), arguing that the plaintiffs have not presented an actionable claim.

The constitutional standing doctrine ensures federal court resources are allocated to disputes where parties have a concrete stake. Standing under Article III requires three elements: 1) an “injury in fact” that is not hypothetical; 2) a causal connection between the injury and the defendant’s conduct; and 3) redressability, meaning a likelihood that a favorable court decision will remedy the injury. In the context of a class action, at least one named plaintiff must demonstrate an injury in fact. Courts have ruled that generalized claims of economic harm based solely on the perceived value of personal information are insufficient for standing. In LaCourt v. Specific Media, plaintiffs claimed economic loss due to the retention and use of their browsing data by Specific Media, which they argued deprived them of its value. However, the court dismissed the case for lack of standing, noting the plaintiffs failed to show actual deprivation of economic value or provide specific examples of how their ability to engage in value exchanges was compromised.

In Low v. LinkedIn Corporation, the court ruled that the plaintiff's claims of economic loss due to LinkedIn's sharing of personal information with third-party tracking cookies did not meet the requirements for Article III standing. The plaintiff failed to prove any real economic harm resulting from the transmission of his data. Similarly, in In re Google Inc. Cookie Placement Consumer Privacy Litigation, the court acknowledged that while plaintiffs’ personally identifiable information had some value, they did not show that Google's actions diminished that value or resulted in any economic loss, which is essential for establishing standing.

The decisions in these cases are relevant as the plaintiffs in the current case against Facebook make similar claims about the economic value of their personal information collected through cookies. Although the court accepts that plaintiffs attribute some intrinsic value to their data, they fail to connect that value to a specific economic harm or loss caused by Facebook's actions. The mere existence of a limited market for browsing histories and programs offering compensation for monitoring activity does not establish injury in fact. Furthermore, a plaintiff's vague allegations of consequential damages, such as charges for an email service related to Facebook's privacy policy changes, lack a clear connection to Facebook's conduct and are too speculative to support standing. Ultimately, the plaintiffs have not shown concrete and particularized harm resulting from Facebook’s practices, failing to articulate a valid basis for Article III standing.

Plaintiffs focus on statutory standing, not addressing Facebook's constitutional standing argument. The crux of the matter is whether the statutory claims in the CCAC meet federal standing requirements. Article III injury can stem from statutes that create legal rights, and Congress cannot eliminate these standing requirements by granting the right to sue to those without standing. The key question is whether the legal provision at issue grants judicial relief rights to the plaintiffs. Statutory standing requires a distinct injury to the plaintiff, even if it is shared with others. A claim's standing is evaluated under Rule 12(b)(6), not Rule 12(b)(1).

Plaintiffs’ arguments for statutory standing are weak for several claims. Common law claims do not benefit from statutory standing, as each claim must independently establish standing. Claims related to economic harm from loss of personal information, such as conversion and trespass to chattels, are subject to dismissal for lack of constitutional standing. Three statutory claims—under the UCL, CLRA, and CCCL—require economic injury for standing, aligning with Article III requirements. However, other statutory claims do not require economic injury to establish standing. Ultimately, federal standing often hinges on the nature and source of the claims presented.

Allegations of violations under the Wiretap Act and the Stored Communications Act (SCA) are sufficient to establish legal standing in this district. Individuals whose communications are unlawfully intercepted or disclosed can seek civil remedies under 18 U.S.C. § 2520(a) and § 2707(a). Courts have recognized that violations of these statutes constitute concrete injuries for Article III standing analysis. The California Invasion of Privacy Act (CIPA) also allows individuals to pursue claims without the need for proof of actual damages, as stated in Cal. Penal Code § 637.2. In the context of a case against Facebook, plaintiffs claim that their internet activity was tracked via the datr cookie after logging out, which they assert violates the Wiretap Act, SCA, and CIPA. The court affirms that these allegations sufficiently demonstrate a distinct injury under the relevant statutes, establishing statutory standing. However, the court notes that standing does not equate to the successful assertion of a plausible claim. Other claims, including those under the Unfair Competition Law (UCL), Consumer Legal Remedies Act (CLRA), and California Consumer Privacy Act (CCPA), will be dismissed with leave to amend due to lack of standing. The court does not address Facebook’s argument regarding Rule 9(b).

The court assesses whether Plaintiffs have presented a viable claim under the Wiretap Act, SCA, or CIPA. The Wiretap Act and the SCA are components of the Electronic Communications Privacy Act of 1986 (ECPA). The Wiretap Act prohibits the intentional disclosure of the contents of electronic communications during transmission, while the SCA addresses unauthorized access to electronic information stored in third-party systems. Specifically, under the SCA, individuals are liable for intentionally accessing a communication service without authorization or exceeding authorized access, leading to the alteration or prevention of access to stored electronic communications.

Facebook contends that Plaintiffs' Wiretap Act claim is inadequate because they did not assert that Facebook intercepted the "contents" of any electronic communication, as defined by the Act. The "contents" refer to the substance or meaning of the communication, not merely record information, such as names or addresses. The Ninth Circuit has clarified that elements like "referer headers" do not meet this definition. 

Plaintiffs generally allege that Facebook, through cookies, gathers personal information about logged-out users and their browsing activities. However, they also state that the cookies only contain unique identification information and browsing history, which do not qualify as "contents" under the Wiretap Act. Consequently, the court finds that Plaintiffs have not adequately stated a claim under this statute, especially considering the similarities to the referer headers discussed in the Zynga Privacy Litigation case. Thus, Plaintiffs may struggle to establish a Wiretap Act violation.

The SCA claim is insufficient because the statutory definition of “electronic storage” under 18 U.S.C. 2510(17)(A) refers specifically to temporary storage of communications during electronic transmission, which does not encompass cookies stored on users' computers. The definition is intended for scenarios like email services temporarily holding messages until delivery, as evidenced by case law such as In re Doubleclick Privacy Litig. and In re Toys R Us, Inc. Privacy Litig. The plaintiffs’ assertion that Facebook accesses personal information through persistent cookies contradicts this definition, and their cited case, Doe v. City and County of San Francisco, aligns with this interpretation as it involved temporary storage in a web-mail inbox.

Regarding the CIPA claim, California Penal Code 631(a) addresses unauthorized interception of communications. Facebook argues that the statute should not apply to electronic communications and claims it cannot be an unauthorized participant since it communicates with its server. However, this interpretation overlooks the plaintiffs' allegations of being unaware of Facebook’s tracking after logging out. The cited cases by Facebook involved scenarios where participants were aware of recordings, making them inapplicable here. Nonetheless, the plaintiffs failed to provide sufficient facts showing that Facebook employed a “machine, instrument, or contrivance” to obtain communication contents, although a computer could fit that definition.

Plaintiffs are required to demonstrate how Facebook’s cookies fit into one of three specified statutory categories, as the cookies are essential for the transmission of information between users’ computers and Facebook servers. They must provide factual support for their claim that cookies are a "contrivance," defined by them as a device or scheme. Currently, the plaintiffs merely describe cookies as small text files on users' computers awaiting server contact, failing to adequately allege that Facebook accessed communications linked to them. The allegations in the Consolidated Complaint (CCAC) are deemed vague and insufficient to establish a plausible claim under the California Invasion of Privacy Act (CIPA).

The court has granted Facebook’s Motion to Dismiss as follows: 
1. The claim for violation of the Computer Fraud and Abuse Act (CFAA) is dismissed without leave to amend.
2. Claims for invasion of privacy, intrusion upon seclusion, conversion, trespass to chattels, and violations of various consumer protection laws are dismissed with leave to amend due to lack of standing.
3. Claims under the Wiretap Act, Stored Communications Act (SCA), and CIPA are dismissed with leave to amend for failure to state a claim.

Facebook’s request for judicial notice of certain documents has been denied, as the decision was made without reliance on those documents. An amended complaint must be submitted by November 30, 2015, and a Case Management Conference is scheduled for January 14, 2016. The court notes that one claim related to the Platform for Privacy Preferences (P3P) has been withdrawn and will be dismissed without leave to amend. 

Regarding privacy claims, the court emphasizes the need for plaintiffs to demonstrate a reasonable expectation of seclusion, which is not met given that internet users typically lack privacy expectations regarding their browsing histories. Thus, the privacy claims are also dismissed for failing to state a claim.